“In terms of the sophistication of the attack, this is a big deal,” Mr. Frons said. “It’s sort of like breaking into the local savings and loan versus breaking into Fort Knox. A domain registrar should have extremely tight security because they are holding the security to hundreds if not thousands of Web sites.”

• Stream ciphers encrypt a bit, byte, or block at a time, but the transformation that is performed on a bit, byte, or block varies depending on position in the input stream and possibly the earlier blocks in the stream.
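The position dependence described above, as an added example that is not part of the original page: a keystream derived from a key and a nonce in counter mode is XORed onto the data, so the same plaintext byte is transformed differently at each position. HMAC-SHA256 in counter mode is used here only as a toy keystream generator (an assumption for this example, not a standardised stream cipher); the key, nonce and messages are constructed sample values. The block also shows the failure mode a practitioner must guard against, keystream reuse under the same key and nonce, and a small tracker that refuses it.

```python
import hmac
import hashlib

# Toy synchronous stream cipher for demonstration only. The keystream is
# HMAC-SHA256(key, nonce || counter) concatenated block by block, which is an
# assumption of this example, not a real cipher design such as ChaCha20.


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Return `length` keystream bytes; block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR is its own inverse, so one function does both."""
    ks = keystream(key, nonce, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


encrypt = stream_xor
decrypt = stream_xor


def position_dependent(key: bytes, nonce: bytes) -> bool:
    """Sixteen identical plaintext bytes do not give identical ciphertext bytes,
    because the keystream byte differs at every position in the stream."""
    ct = encrypt(key, nonce, b"A" * 16)
    return len(set(ct)) > 1


def keystream_reuse_leaks(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """The classic stream-cipher failure mode: two messages under the same
    (key, nonce) give c1 XOR c2 == p1 XOR p2, so the keystream cancels and the
    relationship between the plaintexts is exposed to anyone holding both."""
    c1 = encrypt(key, nonce, p1)
    c2 = encrypt(key, nonce, p2)
    xor_ct = bytes(a ^ b for a, b in zip(c1, c2))
    xor_pt = bytes(a ^ b for a, b in zip(p1, p2))
    return xor_ct == xor_pt


class NonceTracker:
    """Mitigation: refuse to encrypt twice under the same (key, nonce) pair."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.used: set = set()

    def encrypt(self, nonce: bytes, data: bytes) -> bytes:
        if nonce in self.used:
            raise ValueError("nonce already used with this key: keystream reuse")
        self.used.add(nonce)
        return encrypt(self.key, nonce, data)


if __name__ == "__main__":
    k = b"\x00" * 32         # constructed sample key
    n = b"\x01" * 8          # constructed sample nonce
    msg = b"meet at noon"    # constructed sample plaintext
    assert decrypt(k, n, encrypt(k, n, msg)) == msg
    print("position-dependent:", position_dependent(k, n))
    print("reuse leaks:", keystream_reuse_leaks(k, n, b"hello world!", b"HELLO WORLD!"))
```

The design point is that a stream cipher's security rests entirely on the keystream never repeating: the cipher itself is just XOR, so the nonce-tracking discipline is part of the system, not an optional extra.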

is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.

Many users assume—or have been assured by Internet companies—that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.

The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.

But some experts say the N.S.A.’s campaign to bypass and weaken communications security may have serious unintended consequences. They say the agency is working at cross-purposes with its other major mission, apart from eavesdropping: ensuring the security of American communications.

“The risk is that when you build a back door into systems, you’re not the only one to exploit it,” said Matthew D. Green, a cryptography researcher at Johns Hopkins University. “Those back doors could work against U.S. communications, too.”

The technology would be most efficient if used as part of a two-factor authentication system, not alone

By Lucian Constantin, ComputerWorld (IDG News Service), September 10, 2013 07:45 PM ET

The fingerprint sensor in Apple's new iPhone 5s has the potential to enhance the security of the device, but the devil will be in the details. Its effectiveness will depend on the strength of the implementation and whether it's used in conjunction with other security credentials, researchers said. Apple unveiled the iPhone 5s, which has a fingerprint sensor dubbed Touch ID built into the home button. The sensor will allow users to use their fingerprints instead of a password to unlock the device and make purchases on iTunes.

• It's not clear if the feature will also be used in other scenarios that have yet to be revealed or if third-party applications will also be able to use it to authenticate users. In presenting the technology Tuesday, Apple said the fingerprint data is encrypted and locked in the device's new A7 chip, that it's never directly accessible to software and that it's not stored on Apple's servers or backed up to iCloud.

• "Common attacks against fingerprint readers include using photos of fingers or creating fingerprint molds based on captured prints," said Dirk Sigurdson, director of engineering for the Mobilisafe mobile risk management technology at security firm Rapid7, via email. "Hopefully the iPhone sensor will have strong protections against using copied fingers." Fingerprint technology is not a high-security feature, said Marc Rogers, principal security researcher at mobile security firm Lookout. That's why most military installations, for example, use hand geometry or retina scanners instead, he said.

• The best single factor of authentication is a strong password stored only in the user's brain, but it's inherently difficult for people to create and remember strong passwords, Sigurdson said. This often results in bad passwords being used, so a good fingerprint reader and matching algorithm will likely improve the security of iOS devices, he said. Rogers believes fingerprints could add great security if they're used in conjunction with other security credentials as part of two-factor authentication.

• For example, Apple could allow users to set a strong, complex password that's used to encrypt the file system and which would need to be entered only when the device is switched on. The user's fingerprint could then be used as a medium-strength access credential to unlock the device when it's on and needs to be used. This would provide both security and convenience for users, Rogers said.

In the latest fallout from Edward Snowden's intelligence disclosures, a major U.S. computer security company warned customers on Thursday to stop using software that relies on a weak mathematical formula developed by the National Security Agency.

RSA, the security arm of storage company EMC Corp, told current customers in an email that a toolkit for developers had a default random-number generator using the weak formula, and that customers should switch to one of several other formulas in the product.

Last week, the New York Times reported that Snowden's cache of documents from his time working for an NSA contractor showed that the agency used its public participation in the process for setting voluntary cryptography standards, run by the government's National Institute of Standards and Technology, to push for a formula that it knew it could break.

NIST, which accepted the NSA proposal in 2006 as one of four systems acceptable for government use, this week said it would reconsider that inclusion in the wake of questions about its security.

Developers who used RSA's "BSAFE" kit wrote code for Web browsers, other software, and hardware components to increase their security. Random numbers are a core part of much modern cryptography, and the ability to guess what they are renders those formulas vulnerable.
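Why a guessable random-number generator undermines everything built on it, as an added example that is not part of the original article and says nothing about the BSAFE generator itself: a 128-bit key drawn from a generator whose internal state an observer can reproduce is only as strong as that state. Python's non-cryptographic `random` module seeded with a small integer stands in for any reproducible generator (an assumption of this example); the seed and seed space are constructed sample values, and the `secrets` module shows the corrected default.

```python
import random
import secrets
from typing import Iterable, Optional

KEY_BYTES = 16  # 128-bit key; constructed example size


def weak_key_from_seed(seed: int) -> bytes:
    """Derive a key from Python's Mersenne Twister seeded with a small value.
    This stands in for any generator whose output can be reproduced from
    little information: `random` is not a CSPRNG and the seed space is tiny."""
    rng = random.Random(seed)
    return rng.getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big")


def strong_key() -> bytes:
    """The corrected default: key material from the OS CSPRNG via `secrets`."""
    return secrets.token_bytes(KEY_BYTES)


def find_seed(key: bytes, seed_space: Iterable[int]) -> Optional[int]:
    """Defender's self-check: if any candidate seed reproduces the key, the key
    is as guessable as the seed, regardless of how many bits the key has."""
    for seed in seed_space:
        if weak_key_from_seed(seed) == key:
            return seed
    return None


def effective_strength_bits(seed_space_size: int) -> int:
    """Effective key strength is bounded by the generator's unknown state,
    not by the nominal key length (128 bits here)."""
    return min(8 * KEY_BYTES, seed_space_size.bit_length() - 1)


if __name__ == "__main__":
    # Constructed scenario: a key generated from a 13-bit seed space.
    seed_space = range(0, 8192)
    k = weak_key_from_seed(1234)
    print("weak key reproduced from seed:", find_seed(k, seed_space))
    print("effective strength (bits):", effective_strength_bits(len(seed_space)))
    print("strong key reproduced from seed:", find_seed(strong_key(), seed_space))
```

The usage point for a code review is the same one RSA's notice makes: check which generator a library uses by default, because a 128-bit key from a reproducible generator offers only the entropy of the generator's state.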

The NSA-promoted formula was odd enough that some experts speculated for years that it was flawed by design. A person familiar with the process told Reuters that NIST accepted it in part because many government agencies were already using it.